Security Considerations

This chapter provides information on the security considerations of Novell® Kerberos KDC:

  1. Use SSL mutual authentication or SASL EXTERNAL bind for authenticating the Kerberos services.
  2. Secure the connection between your Web browser and the iManager server with SSL, and the connection between iManager and Novell eDirectory as well. Otherwise, sensitive Kerberos data such as the master key and principal keys can be sniffed while the realm and principals are created.
  3. Protect the following files with appropriate file system rights:
    • Configuration file (/etc/krb5.conf)
    • Service password stash file (specified with the ldap_service_password_file parameter in /etc/krb5.conf)
    • ACL file for administration (specified with the acl_file parameter in /etc/krb5.conf)
    • Password dictionary file (specified with the dict_file parameter in /etc/krb5.conf)
    • Certificate files of the Kerberos services
    • Trusted root certificates of the LDAP servers (specified with the ldap_root_certificate_file parameter in /etc/krb5.conf)
    • Log files of KDC, Administration, and Password servers, as these contain auditing information.
    • Kerberos keytab files (default location is /etc/krb5.keytab)

    All these files must be stored only on a local storage device, never on a remotely mounted one. The recommended permissions for these files are read and write for root only. Additionally, protect these files during backup and restore operations.

  4. Use the strongest cryptographic algorithm for the master and principal keys. Use DES and RC4 only for interoperability with other Kerberos distributions.
  5. Keep the Kerberos servers in a physically secure location, with access restricted to authorized personnel.
  6. TGS (krbtgt/REALM@REALM), Administration service (kadmin/admin@REALM), and Password service (kadmin/changepw@REALM) principal keys must be randomly generated and periodically reset.
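
The file protections in item 3 can be checked with a script such as the following. This is an added example, not part of the Novell Kerberos KDC documentation: it assumes the parameters are written as `name = value` lines in krb5.conf, treats a mount source containing `:` or starting with `//` as remote, and takes the expected owner as a uid (0 for root) so the constructed demo can run as an ordinary user.

```shell
#!/bin/sh
# Added example, not part of the Novell Kerberos KDC documentation: audit the
# files item 3 says to protect. Paths are read from the krb5.conf parameters
# the page names; the demo config and files below are constructed.

# Print the value of a "name = value" parameter from a krb5.conf file.
krb5_param() {   # $1 = config file, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Octal mode and owner uid; GNU stat syntax first, BSD stat syntax as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# One finding per line when a file is readable beyond its owner (mode not
# 0600/0400), not owned by uid $2, or on a remote mount. Returns the count.
check_secret_file() {   # $1 = path, $2 = expected owner uid (0 = root)
    f=$1; want=${2:-0}; n=0
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(file_mode "$f"); owner=$(file_owner "$f")
    src=$(df -P "$f" 2>/dev/null | awk 'NR==2 {print $1}')
    case $mode in 600|400) ;; *) echo "$f: mode $mode, want 0600"; n=$((n+1));; esac
    [ "$owner" = "$want" ] || { echo "$f: owner uid $owner, want $want"; n=$((n+1)); }
    case $src in *:*|//*) echo "$f: on remote filesystem $src"; n=$((n+1));; esac
    return $n
}

# Audit krb5.conf itself, the files its parameters point at, and any extra
# paths given (keytab, certificates, logs). Returns the total finding count.
audit_kdc_files() {   # $1 = krb5.conf, $2 = expected owner uid, $3.. = extra files
    conf=$1; want=$2; shift 2; total=0
    for p in ldap_service_password_file acl_file dict_file ldap_root_certificate_file; do
        v=$(krb5_param "$conf" "$p"); [ -n "$v" ] && set -- "$@" "$v"
    done
    for f in "$conf" "$@"; do
        check_secret_file "$f" "$want" || total=$((total + $?))
    done
    return $total
}
# Constructed demo: a temporary config and two files, one of them world-readable.
demo() {
    d=$(mktemp -d)
    printf 'acl_file = %s/kadm5.acl\ndict_file = %s/dict\n' "$d" "$d" > "$d/krb5.conf"
    touch "$d/kadm5.acl" "$d/dict"
    chmod 600 "$d/krb5.conf" "$d/kadm5.acl"; chmod 644 "$d/dict"
    audit_kdc_files "$d/krb5.conf" "$(id -u)" || echo "$? finding(s)"
    rm -rf "$d"
}
demo
```

In production, run it as root with owner uid 0 and pass the keytab, certificate and log file paths as extra arguments.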

IMPORTANT: We do not recommend using the Administration server, because it requires rights close to those of a supervisor. Instead, use kadmin.local, which communicates directly with eDirectory over LDAP with SSL. We also recommend using the Novell Kerberos KDC iManager plug-ins.